5.4.5.2.2 TLS Fatal Alerts

The CredSSP protocol leverages TLS Alert Messages with the level set to Fatal ([RFC2246] section 7.2, [RFC4346] section 7.2, and [RFC5246] section 7.2) to report error conditions. The alert messages that can be transmitted are summarized in the following table.

TLS Alert Code

Meaning

TLS1_ALERT_UNEXPECTED_MESSAGE

10

An inappropriate message was received.

TLS1_ALERT_DECRYPTION_FAILED

21

Ciphertext was decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were incorrect.

TLS1_ALERT_BAD_CERTIFICATE

42

A certificate was corrupt; for example, it contained signatures that did not verify correctly.

TLS1_ALERT_CERTIFICATE_EXPIRED

45

A certificate has expired or is not currently valid.

TLS1_ALERT_UNKNOWN_CA

48

A valid certificate chain or partial chain was received, but the certificate was not accepted because the certification authority (CA) certificate could not be located or could not be matched with a known, trusted CA.

TLS1_ALERT_ACCESS_DENIED

49

A login failure occurred due to invalid credentials.

TLS1_ALERT_INTERNAL_ERROR

80

A generic, catch-all error code.